AWS has launched a Directory Service that performs many of the functions of Microsoft's Azure Active Directory, but the company stopped short of positioning the new service as a total replacement for its cloud rival's identity store.
The Amazon Web Services (AWS) Directory Service offers two main options for users. The first is AD Connector, which extends an existing on-premises Active Directory (AD) environment into Amazon Virtual Private Clouds; the second is Simple AD, which provides a completely cloud-based user directory service.
Technically, Simple AD can function as an identity store for other cloud services, such as Salesforce.com or Dropbox, but it doesn't come pre-integrated as does Azure Active Directory. The AWS blog frames the ideal use case for Simple AD as a way for users to run Windows applications on the Elastic Compute Cloud, or to centrally control access to AWS applications such as Amazon Workspaces or Amazon Zocalo.
Some Amazon customers have already found a cloud approach to Active Directory which offers more breadth than AD Connector or Simple AD. For example, a startup called JumpCloud is already selling a cloud-based LDAP directory which has garnered some attention.
"[The Amazon service] would be nice for our Windows servers, but it leaves out more than half of our fleet," said Ben Good, director of engineering operations for Clip Interactive, a digital media company based in Boulder, Colo., which already uses JumpCloud to connect end users to both Windows and Linux servers in the Amazon cloud.
Clip could connect its Linux servers via Samba, but that has a few drawbacks, such as added complexity in server configurations, Good said.
"It looks to me like they are not targeting deployments like ours and are more focused on bringing directory services to their workstation and end-user services, so we’ll be sticking with JumpCloud," Good said.
Other IT pros are more interested in services that can span multiple cloud service providers.
"We had to implement an OpenLDAP/AD solution some years back in order to manage our scale," said Jim O’Neill, CIO for hosted marketing software company HubSpot Inc., based in Cambridge, Mass. "It's been working great and we've integrated that to other [identity and access management] and cloud platforms that span multiple providers."
Still, this is a positive step for AWS even if it hasn’t totally overtaken Azure Active Directory in terms of out-of-the-box feature set, analysts said.
"They’ve needed this for years," said Edward Haletky, CEO of the Virtualization Practice LLC based in Austin, Texas. "Amazon did this as a way to allow users to control their own credentials, which is vital."
The service must be easily auditable on both sides, Haletky said. Audit data for WorkSpaces, for example, comes from Windows Event logs from within the Desktops while the AWS management console uses a different mechanism.
"A combined audit would be useful," he said.
Group Policies in on-premises Active Directory are also automatically transferred to the AD Connector, and users can set policies such as multi-factor authentication within Simple AD, which is another important feature, according to Haletky.
Meanwhile, if Amazon positions Simple AD as a centralized identity store for other clouds, "that could catch them up to Microsoft", Haletky added. "But can Amazon be that for everybody else? Being the directory service for enterprises is a different discussion – there’s a lot of competition to federate directory services."
Amazon’s AD Connector and Simple AD come in two sizes: small, with support for up to 10,000 users and priced at $0.05 per hour, and large, with support for up to 100,000 users and priced at $0.15 per hour. The products are available now in the US East (Northern Virginia), US West (Oregon), Asia Pacific (Sydney), Asia Pacific (Tokyo) and Europe (Ireland) regions.